To comply with SOC 2, ISO 27001:2022 and other frameworks, and to strengthen the security of your AWS account, it is important to have an Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS) in place.
This guide walks you through setting these up with Amazon GuardDuty, AWS WAF and AWS Network Firewall.
GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security.
1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/
2. Select the Amazon GuardDuty - All features option.
3. Choose Get started.
4. On the Welcome to GuardDuty page, view the service terms. Choose Enable GuardDuty.
WAF
AWS WAF helps you create security rules that control bot traffic and block common attack patterns such as SQL injection or cross-site scripting on your network.
1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.
2. Choose Web ACLs in the navigation pane, and then choose Create web ACL.
3. For Name, enter the name that you want to use to identify this web ACL. (Note: You can't change the name after you create the web ACL.)
4. For Description, enter a longer description for the web ACL if you want to.
5. For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including "All" and "Default_Action." (Note: You can't change the CloudWatch metric name after you create the web ACL.)
6. Under Resource type, choose the category of AWS resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources.
7. For Region, if you've chosen a Regional resource type, choose the Region where you want AWS WAF to store the web ACL.
8. Choose Next.
9. If you want to add managed rule groups, on the Add rules and rule groups page, choose Add rules, and then choose Add managed rule groups.
10. Choose the default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes on a request when the rules in the web ACL don't explicitly allow or block it.
11. Choose Next.
12. In the Review and create web ACL page, check over your definitions. If you want to change any area, choose Edit for the area. Make any changes, then choose Next through the pages until you come back to the Review and create web ACL page.
13. Choose Create web ACL. Your new web ACL is listed in the Web ACLs page.
Network Firewall
While AWS WAF inspects HTTP traffic, filtering malicious requests and blocking attacks such as SQL injection and cross-site scripting that target web application vulnerabilities, AWS Network Firewall filters traffic at the network level. It is what provides the IPS capability: deep packet inspection (DPI), application protocol detection, domain name filtering and intrusion prevention.
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewalls.
3. Choose Create firewall.
4. For Name, enter the name that you want to use to identify this firewall. You can't change the name of a firewall after you create it.
5. For VPC, select your VPC from the dropdown.
6. For Availability Zone and Subnet, select the zone and firewall subnet.
7. For Associated firewall policy, choose Associate an existing firewall policy, then select the firewall policy. Otherwise, create a new one.
8. Choose Create firewall.
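Once the three console procedures above are done, an auditor (or your own compliance pipeline) will want evidence that the settings actually took effect. The following added example, which is not part of the original guide, checks the points the walkthrough calls out: the GuardDuty detector is enabled, the web ACL has a valid non-reserved CloudWatch metric name, an explicit Allow/Block default action and at least one managed rule group, and the firewall has a policy and a subnet. The input dictionaries are constructed samples shaped like the responses of the GetDetector, GetWebACL and DescribeFirewall APIs; the metric-name regex is an assumption (letters, digits, hyphen, underscore), stricter than what the console may accept.

```python
import re

# Metric names the guide says AWS WAF reserves (step 5 of the WAF section).
RESERVED_METRIC_NAMES = {"All", "Default_Action"}
# Assumption: conservative pattern with no whitespace or special characters.
METRIC_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def metric_name_ok(name):
    """True if the CloudWatch metric name is well-formed and not reserved."""
    return bool(METRIC_NAME_RE.match(name)) and name not in RESERVED_METRIC_NAMES


def audit_guardduty(detector):
    """GuardDuty only detects anything if the detector is actually enabled."""
    return [] if detector.get("Status") == "ENABLED" else ["GuardDuty detector is not enabled"]


def audit_web_acl(web_acl):
    """Check metric name, explicit default action and presence of a managed rule group."""
    findings = []
    if not metric_name_ok(web_acl["VisibilityConfig"]["MetricName"]):
        findings.append("web ACL CloudWatch metric name is invalid or reserved")
    if not ({"Allow", "Block"} & set(web_acl["DefaultAction"])):
        findings.append("web ACL has no Allow/Block default action")
    if not any("ManagedRuleGroupStatement" in r.get("Statement", {}) for r in web_acl.get("Rules", [])):
        findings.append("web ACL has no managed rule group")
    return findings


def audit_firewall(firewall):
    """A firewall without a policy or subnet mapping inspects nothing."""
    findings = []
    if not firewall.get("FirewallPolicyArn"):
        findings.append("firewall has no associated policy")
    if not firewall.get("SubnetMappings"):
        findings.append("firewall is not deployed to any subnet")
    return findings


def run_audit(detector, web_acl, firewall):
    return audit_guardduty(detector) + audit_web_acl(web_acl) + audit_firewall(firewall)


# Constructed sample API responses (not real account data): the web ACL uses a
# reserved metric name and the firewall has no policy, so two findings are expected.
SAMPLE_DETECTOR = {"Status": "ENABLED"}
SAMPLE_WEB_ACL = {
    "Name": "prod-web-acl",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": {"MetricName": "Default_Action", "CloudWatchMetricsEnabled": True},
    "Rules": [{"Name": "common", "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}}],
}
SAMPLE_FIREWALL = {"FirewallName": "prod-fw", "FirewallPolicyArn": "", "SubnetMappings": [{"SubnetId": "subnet-EXAMPLE"}]}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_DETECTOR, SAMPLE_WEB_ACL, SAMPLE_FIREWALL):
        print("FINDING:", finding)
```

In a real pipeline the three dictionaries would come from boto3 calls (`guardduty.get_detector`, `wafv2.get_web_acl`, `network-firewall.describe_firewall`) and a non-empty findings list would fail the compliance check.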